[00:13.880 --> 00:20.180]  Hello, everyone. Welcome back. My name is Rubix1138, and I welcome you to the Thinkst
[00:20.180 --> 00:27.800]  Canary workshop. If you have not already joined us in the Discord chat, please go to
[00:27.800 --> 00:37.940]  blueteamvillage.org and click on DEF CON 28 and join us in the Discord. The text chat while we
[00:37.940 --> 00:45.840]  go through this presentation will be in the text-workshops-track-1 under Flamingo Hotel.
[00:45.840 --> 00:51.160]  Just scroll all the way down, go to text-workshops-track-1, and you can post your
[00:51.160 --> 00:58.920]  questions there. I'd like to welcome Adrian and Bradley from Thinkst. Go ahead, guys,
[00:58.920 --> 01:06.320]  take it away. Thank you. Hello, and thank you very much for that. That was a kind intro.
[01:08.280 --> 01:15.100]  And we are very excited to be here. And we're going to talk a little bit about how
[01:15.660 --> 01:23.100]  Canaries and Canary Tokens are now going to be integrated into OpenSOC and give you a little
[01:23.100 --> 01:29.540]  bit of context and background on them so you can understand how to use them when going through
[01:29.540 --> 01:38.320]  OpenSOC. So again, big, big thanks to OpenSOC. Really excited to be part of it and really glad
[01:38.320 --> 01:48.210]  that, you know, they thought to include us in this. All right, so what we're going to do first
[01:48.210 --> 01:53.610]  is just go through some slides real quick here. We'll go through some live demos as well. A lot
[01:53.610 --> 01:58.890]  of what you're going to see is kind of a mix of the commercial product and the free product.
[01:58.890 --> 02:05.570]  Really, the free stuff we have out there worked the same way. Same principles, same data you get
[02:05.570 --> 02:12.610]  in the alerts. Just for convenience and time sake, you know, you might see a little bit of the
[02:12.610 --> 02:21.290]  commercial product here. So some of our goals when we designed Canary and Canary Tokens was,
[02:21.290 --> 02:27.390]  you know, a tool that gets deployed and gets used is useful. So a lot of work went into making them
[02:27.390 --> 02:35.130]  super easy and simple to use. They take minutes to set up and deploy. So a lot of work goes into
[02:35.130 --> 02:41.950]  making them super easy to do that. And little to no maintenance, you know. So again, you know,
[02:41.950 --> 02:47.810]  for a tool to be useful, it has to function, you know. So any kind of maintenance, you know, we try
[02:47.810 --> 02:54.350]  and make non-existent or, you know, we can do it automatically for you in the background. Even a
[02:54.350 --> 03:01.430]  free tool, most of that you can just generate Canary Tokens, deploy them, forget them, deploy
[03:01.430 --> 03:09.270]  OpenCanary and pretty much forget about it until it sends you alerts. So yeah, and those alerts,
[03:09.270 --> 03:15.230]  that's a big goal also is, you know, how can we get this as close to zero false positives as possible?
[03:16.490 --> 03:23.570]  And ultimately, you know, the goal here is to know when it matters. To know when an attacker's
[03:23.570 --> 03:33.220]  in your environment as soon as possible, when it matters to know that. All right, so as I mentioned,
[03:33.220 --> 03:39.780]  our open source and free products here, OpenCanary is available. It's well documented.
[03:39.780 --> 03:46.200]  You can grab it from GitHub. I think the Docker container has been downloaded tens of thousands
[03:46.200 --> 03:52.360]  of times. So we know it's getting a lot of use out there. You know, the package has been installed
[03:52.360 --> 03:59.840]  and you can run your own Canary token server as well with a Docker container or you can use
[03:59.840 --> 04:06.680]  canarytokens.org. I think we have over 100,000 people using canarytokens.org. You don't even
[04:06.680 --> 04:11.160]  need to create an account to use it. You can just go there right now and start creating tokens and
[04:11.820 --> 04:15.360]  distributing them throughout your personal devices,
[04:15.360 --> 04:19.840]  you know, your production environment, wherever you want to use them. People use them all over.
[04:21.920 --> 04:28.320]  All right, so talking about the context a little bit here, what are these and why would you use
[04:28.320 --> 04:36.080]  them in a Blue Team environment or OpenSOC? So the goal here is to let you know as soon as
[04:36.080 --> 04:41.580]  the attacker gets in the environment. So, you know, over the last couple of decades, dwell time
[04:41.580 --> 04:49.140]  is really long. Attackers are in environments way too long and they just, they go on undetected.
[04:49.140 --> 04:54.040]  And that's a problem we set out to solve here is, you know, what if we could get that dwell
[04:54.040 --> 04:59.540]  time down to minutes to when you at least know that there's something suspicious going on inside
[04:59.540 --> 05:06.500]  the environment. So that's the goal here is the attacker's already in the environment and doing
[05:06.500 --> 05:14.040]  suspicious things and that's what we alert on. So that's important context to understand.
[05:15.340 --> 05:20.220]  And how do we do that? So I've got a quick diagram here just to show you
[05:21.520 --> 05:25.940]  simply what we leverage to make our product work here, to make it win.
[05:26.760 --> 05:32.000]  And when an attacker gets in, they don't know where anything is in your environment. They don't,
[05:32.000 --> 05:35.980]  you know, unless they land on a Visio diagram, on a highly detailed Visio
[05:35.980 --> 05:39.320]  diagram, the moment they get in, they're going to have to explore the network.
[05:39.320 --> 05:42.940]  They're going to have to look around for what they're hoping to find.
[05:45.760 --> 05:51.020]  And if you drop in these canaries, which are honeypots, which can look like anything else
[05:51.020 --> 05:59.200]  in your network, anything from Windows Server 2016 to a Linux server, you know, the idea is
[05:59.200 --> 06:06.540]  it looks like a normal server, but there's no real reason anybody should be touching it or using it.
[06:06.780 --> 06:13.000]  So the attacker comes in, does that same exploration, and they start setting off alerts.
[06:15.700 --> 06:22.320]  And furthermore, when you take canary tokens, you can set traps throughout even more of the
[06:22.320 --> 06:27.580]  environment. You can make it even more tricky and difficult for the attacker to explore around the
[06:27.580 --> 06:33.060]  network without setting off even more of these alerts. So really what the attacker is doing,
[06:33.060 --> 06:37.800]  when you've deployed these traps around in your network, is they're painting a roadmap for you.
[06:37.800 --> 06:42.860]  They're painting a picture for where they're going, what they're doing, even their motivations,
[06:42.860 --> 06:48.500]  what servers are they targeting. When they open up some of these token files,
[06:48.500 --> 06:52.280]  what are the file names that are getting them to double-click that? You know, are they
[06:52.280 --> 06:57.440]  files that look like they have employee data, files that look like they have customer data,
[06:57.440 --> 07:00.700]  files that look like they just have more passwords so that they can pivot further
[07:00.700 --> 07:06.400]  into the environment? You know, a lot of strategies you can use when deploying both
[07:06.400 --> 07:11.220]  the canaries and the tokens here to understand what the attacker is doing, where they're going
[07:11.220 --> 07:22.610]  in your environment, and paint you a nice picture of what's going on. And of course,
[07:22.610 --> 07:27.330]  when those alarms do get set off, we want to make sure they go where you can get to them. In the
[07:27.330 --> 07:32.470]  context of OpenSOC, this is going to be Graylog. That's where you're going to see any canary token
[07:32.470 --> 07:38.830]  alerts or any canary alerts. Of course, you know, we can send them tons of other places, but that's
[07:38.830 --> 07:45.110]  where you're going to see them for OpenSOC. And we'll take a closer look at the kind of details
[07:45.110 --> 07:52.150]  that you're going to get in those alerts. So whereas canaries sit on the network and let you
[07:52.150 --> 07:59.010]  know when suspicious stuff is going on on your network, canary tokens can do it at a smaller
[07:59.010 --> 08:06.010]  level. So canary tokens can be a bit of code, can be a file, and highly complementary to the
[08:06.010 --> 08:11.570]  canaries. You can even have canary tokens on canaries or canary tokens within canary tokens,
[08:11.570 --> 08:17.950]  which sit on another place that is triggered by canary tokens. You can layer these really deep
[08:17.950 --> 08:23.430]  so that even if one or two aren't maybe triggered, you know, something is going to trigger if you
[08:23.430 --> 08:29.730]  deploy enough of these in your environment. And understand how these work and how you would use
[08:29.730 --> 08:35.090]  them or how you might see them used within OpenSOC. We're going to take a look at probably
[08:35.090 --> 08:42.410]  one of the most common and popular canary tokens that get used, which is just the Word doc canary
[08:42.410 --> 08:51.310]  token. So in this scenario here, whoever's creating this canary token, you know, our canary
[08:51.310 --> 08:58.190]  user creates a Word canary token. And this token can look like a real Word file. You can even
[08:58.190 --> 09:06.270]  upload an existing Word file. You can copy any kind of contents you want in it. Make it look
[09:06.270 --> 09:11.930]  as realistic as you want. And you're going to name it something the attacker wants. So really,
[09:11.930 --> 09:17.650]  thinking about this, you're phishing the attacker. You're using the same principles attackers use
[09:18.310 --> 09:23.150]  against us against them. You know, you're trying to trick them into opening a file,
[09:23.150 --> 09:28.610]  into taking an action that's going to trigger one of these tripwires, that's going to trigger
[09:28.610 --> 09:38.630]  some of these alerts, and let you know what the attacker's up to. So after they grab that,
[09:38.630 --> 09:44.190]  you know, maybe they send it off to someone else, you know, they're going to sell the data.
[09:44.910 --> 09:51.410]  But at this point, it doesn't matter. Anybody that opens this Word document, this token Word document,
[09:51.410 --> 09:56.810]  is going to set off an alert. As soon as it's opened, you know, before you've even seen the
[09:56.810 --> 10:01.230]  contents of that file, it could be blank. You know, it doesn't matter how clever the file
[10:01.230 --> 10:07.510]  is, how cleverly you've made the ruse, you could have just been lazy and left it completely blank.
[10:07.650 --> 10:12.010]  And by the time the attacker knows that, it's already sent off an alert with some of their data
[10:12.010 --> 10:19.390]  attached to that. And the Canary admin gets the alert and sees the details of who opened it,
[10:19.390 --> 10:25.830]  where they opened it. And you know what's going on, you know that that file has left
[10:25.830 --> 10:36.100]  that secure environment wherever you stored that file. Alright, so what can these alerts tell you?
[10:36.100 --> 10:39.680]  And at this point, we're going to jump into an interactive demo here.
[10:40.420 --> 10:53.550]  I'm going to leave the slides behind. Alright, see how big we can make this without it going
[10:53.550 --> 11:06.220]  off the screen here. Alright, so this is my console here. I've got two Canaries running.
[11:07.000 --> 11:14.360]  One looks like a Cisco and one is set up as a Synology NAS. And then I've got my command line
[11:14.360 --> 11:20.080]  here. I'm just going to use this to run some nmap scans against these hosts here, just so you can
[11:20.080 --> 11:25.920]  see what it looks like when one of these alerts does go off. So I'm going to copy this IP address,
[11:29.780 --> 11:39.400]  do a quick scan against it. Hopefully that's big enough to see there, make that larger.
[11:49.260 --> 11:54.400]  Alright, so the attacker sees this, they see what they would expect to see on a Cisco router,
[11:54.400 --> 11:58.880]  maybe an older Cisco router, it's still got Telnet open, MAC address is Cisco,
[11:59.160 --> 12:07.220]  the operating system looks like Cisco, looks like a Cisco 1921 router. And as you probably noticed
[12:07.220 --> 12:13.580]  there, as I ran that scan, we got a few alerts. So, you know, first thing we know when somebody
[12:13.580 --> 12:17.900]  scans a Canary, if you have port scan detection enabled, you're going to get alerts when you get
[12:17.900 --> 12:25.880]  scanned. And we can even tell that it was an nmap scan, you know, the OS flag in nmap is pretty
[12:25.880 --> 12:32.560]  easy to detect. Nothing else really looks like it. So we know when we've been, somebody's doing
[12:32.560 --> 12:39.560]  some OS fingerprinting with nmap specifically. So maybe the attacker tries to log into SSH,
[12:39.560 --> 12:44.080]  you know, they saw SSH was open here, maybe they're hoping for some default credentials.
[12:54.060 --> 13:00.180]  And just like SSH, you know, they try three times, you know, it doesn't work. There is no correct
[13:00.180 --> 13:05.680]  username or password that's going to get you into Canary. They just exist, all these services exist
[13:05.680 --> 13:10.140]  there for the attacker to spin their wheels, waste their time trying to get in. They could
[13:10.140 --> 13:15.960]  try to get in through the web config there, which is just basic auth, nothing fancy here.
[13:16.700 --> 13:22.060]  But they could throw a brute force, you know, dictionary attack against it. All they're
[13:22.060 --> 13:26.980]  going to do is generate more and more alerts for you to see what they're doing. So already we have
[13:26.980 --> 13:31.180]  this picture here, you know, they painted this story of what they're trying to do. You know,
[13:31.180 --> 13:36.200]  they've scanned the network, they found something interesting, they tried to log into it,
[13:36.200 --> 13:40.320]  that didn't work. And they tried to log in a different way, that didn't work.
[13:40.700 --> 13:47.080]  And, you know, you can see what this attacker is trying to do. And the main thing you're going to
[13:47.080 --> 13:52.060]  use to pivot off of when you see an alert from one of these Canaries is probably going to be the
[13:52.060 --> 13:56.620]  source IP. So some of these details can help you as well. You can see the username and password
[13:56.620 --> 14:02.520]  that they tried. You can even see the remote SSH version that might tell you something about the
[14:02.520 --> 14:07.420]  host that they're trying to get in from. You know, so some of these details might help you.
[14:07.460 --> 14:13.820]  But this IP address and the reverse DNS, these are going to be the main things that you're
[14:13.820 --> 14:18.760]  probably going to pivot off of, looking through Graylog, looking through Moloch,
[14:18.760 --> 14:23.980]  some of these other tools, that's going to point you in the right direction. And then,
[14:23.980 --> 14:28.600]  the rest of the tools that you saw today, if you watch any of those presentations,
[14:29.040 --> 14:33.860]  those are going to help you build that investigation and figure out what's going on.
[14:36.820 --> 14:42.140]  When they do hit a web server on the Canary, browsers are nice enough to hand off the user
[14:42.140 --> 14:46.660]  agent that tells you a little bit more about the attacker. In this case, obviously, I'm using a Mac
[14:46.660 --> 14:52.480]  and that's revealed through it. Of course, an attacker could, you know, they can change their
[14:52.480 --> 14:59.660]  user agent. You know, they could even mask their IP address. But generally, you'd be able to tell
[14:59.660 --> 15:06.200]  if that's happening as well. You know, there's other ways of telling that. All right, so that's
[15:06.200 --> 15:16.660]  what that looks like. Just doing a scan and trying to log into a few things on the Cisco honeypot
[15:16.660 --> 15:22.040]  there. And this one, the Synology NAS, is also fairly interesting. We're going to do a quick
[15:22.040 --> 15:26.900]  scan of this one. It looks a little bit different. One of the key things that's different about it
[15:26.900 --> 15:34.880]  is it has a file share. So we're going to run a quick scan against it.
[15:36.760 --> 15:42.940]  Again, our results come back pretty quickly here. MAC address is Synology, services look like what
[15:42.940 --> 15:50.980]  you'd expect of a file share in a network storage device. They do run Linux, you know, and that's
[15:50.980 --> 15:57.740]  what it comes back as. So, you know, maybe the attacker, any attacker that sees an open file share, you've got
[15:57.740 --> 16:03.780]  to know what's on that file share, right? So we're going to pop in there and take a look.
[16:07.260 --> 16:11.140]  And by default, we're going to make it pretty easy for them to get on there. You know, you could
[16:11.140 --> 16:17.280]  lock it down, make them use some stolen credentials to get in there. But we really want to know what
[16:17.280 --> 16:21.860]  they're interested in. So we're going to make it easy. You know, so with a guest login, they can get on
[16:21.860 --> 16:26.760]  there. They can see the different files on there, you know, and this is where it gets interesting.
[16:26.760 --> 16:33.080]  If you've got files that look like they have different types of data, depending on what they
[16:33.080 --> 16:37.260]  go after, you know, maybe in this case, they're going to go after the router config. You know, they're
[16:37.260 --> 16:41.360]  still hung up on that Cisco router. They really want to get in there. They want to check out this
[16:41.360 --> 16:47.880]  config, see how it's configured. Bummer, looks like the file's password protected. That's as far as
[16:47.880 --> 16:52.680]  they go with that. Maybe they're trying on a few others here. But you get to see which files
[16:52.680 --> 16:58.260]  they're interested in, which files they go after. So we see here in the alert, they went right after
[16:58.260 --> 17:05.340]  that Cisco router config. And again, by now, you know, this has painted a pretty nice picture.
[17:05.340 --> 17:10.780]  You know, we know who the attacker is. We know they're scanning the network, and we know
[17:10.780 --> 17:16.060]  they're trying to get into things. So pretty clear picture of what's going on. And that's really
[17:16.060 --> 17:21.080]  the goal of the product here, is to paint a clear picture that, you know, that yes, this is
[17:21.080 --> 17:28.740]  probably a malicious attack, and we need to investigate it. That early breach detection.
[17:28.740 --> 17:31.900]  So now you're going to take that, you're going to pivot to other tools,
[17:31.900 --> 17:37.880]  and you're going to start to dive deeper. So I'm going to clean up these alerts real quick here.
[17:42.240 --> 17:51.360]  And we will talk a bit about canary tokens. So like I mentioned before, where canaries let you
[17:51.360 --> 17:56.900]  know when suspicious stuff is going on in the network, as we saw with scans, login attempts there,
[17:56.900 --> 18:02.660]  canary tokens, you can go even deeper. You can complement that. Some of those files in that file
[18:02.660 --> 18:07.980]  share I just showed you could have been token files. And what that means, so in the case of
[18:07.980 --> 18:15.200]  the Word doc here, and as I mentioned before, you can even upload your own Word doc. So I can take
[18:15.200 --> 18:23.620]  my fake pen test results here. I can just, I need to give it a memo. So one of the key things here
[18:23.620 --> 18:31.440]  is you really want to use one token per location. So, you know, maybe I'm going to put this on my
[18:31.440 --> 18:40.880]  secret flash drive. I don't know why it's secret. It's just a flash drive. I only have one flash
[18:40.880 --> 18:47.740]  drive. Let's say that. So I'm going to put that there. I'm not going to put it in my email. I'm
[18:47.740 --> 18:52.860]  not going to put it on my desktop. It's only going to exist on that flash drive. So if I see
[18:52.860 --> 18:57.560]  any alert from this canary token, I know somebody's got my flash drive.
[18:59.740 --> 19:04.000]  Simple as that, because that's the only way somebody could have found this token.
[19:05.680 --> 19:11.900]  So we download that. And remember, this was an existing Word doc that I had.
[19:12.800 --> 19:19.300]  You know, I haven't done anything special to this. It's just a normal Word doc that you can grab,
[19:19.300 --> 19:26.060]  you can upload, and we've just added a token to it. So the attacker opens it up. There's
[19:26.060 --> 19:33.240]  no indication that this canary token has sent out anything. There's no indication that
[19:33.700 --> 19:41.160]  the attacker has fallen into a trap here. But in fact, it has sent out several alerts.
[19:42.160 --> 19:49.980]  Our Word doc canary tokens have what we call our DNS primitive, our DNS tokens embedded within it,
[19:49.980 --> 19:55.040]  and our web tokens embedded within it. And part of the reason we do that is because it doubles
[19:55.040 --> 20:02.060]  our chance of getting the alert out. On some networks, maybe HTTP port 80 isn't allowed
[20:02.060 --> 20:08.980]  outbound. You know, only HTTPS is allowed outbound. So this wouldn't have gotten back
[20:08.980 --> 20:15.820]  to the console. But as long as the person that opened that Word file had working DNS,
[20:15.820 --> 20:21.760]  we would still get that back. You know, so we've got a really good chance of knowing when somebody
[20:21.760 --> 20:28.760]  opens one of these Word docs. And you can see we get a, you know, the user agent here doesn't give
[20:28.760 --> 20:33.820]  as many details, but we can see what version of Office they've got. But the key information here
[20:33.820 --> 20:40.660]  is somebody would have had to have physical access to my flash drive for this alert to trigger. And
[20:40.660 --> 20:45.120]  they were interested in this file out of all the files that were on my flash drive. This is,
[20:45.120 --> 20:50.560]  you know, the first token file that they opened. Let's say I had multiple token files on there with,
[20:51.040 --> 20:55.840]  you know, different file names suggesting they have different types of data in them.
[20:55.840 --> 20:59.760]  And they went after this one first. So that's useful to me also.
[21:00.140 --> 21:07.860]  And then I've got the, you know, both the DNS server that handed off that DNS token that triggered.
[21:07.860 --> 21:15.120]  And then the web token got out as well. So, you know, that's my actual IP address that's assigned
[21:15.120 --> 21:21.080]  to me by my ISP. That's what the web server sees when this Word document opens and it reaches back
[21:21.080 --> 21:25.480]  the canary token server that lives on the console here.
[21:25.880 --> 21:31.100]  So a couple useful pieces of information there that I can leverage.
[21:34.460 --> 21:42.060]  So, yeah, that's the Word canary token. We do have, as you can see here, there's different
[21:42.060 --> 21:48.700]  tokens for all sorts of different purposes. And this is pretty similar to what canarytokens.org
[21:49.280 --> 21:54.740]  shows. I think we have almost every single one of these tokens there as well.
[21:54.880 --> 21:58.480]  The other one I'm going to show you here is the QR code token.
[21:59.100 --> 22:04.680]  This is a fun one because it's very versatile. There's a lot of ways that we see QR codes used
[22:04.680 --> 22:15.420]  in technology today. So setting up your multi-factor authentication, setting up,
[22:15.420 --> 22:24.640]  um, enrollment, you know, maybe into your MDM, EMM product. You know, you see them out and about
[22:24.640 --> 22:30.020]  in physical places all the time. You know, scan here for more information about this house that's
[22:30.020 --> 22:34.900]  for sale, that kind of thing. So the sky's the limit for how you can use these. You can use
[22:34.900 --> 22:41.260]  them digitally or you can use them in physical environments. So let's say I want to know if
[22:41.260 --> 22:46.480]  somebody gets into Adrian's lunchbox. You know, I don't want to know if somebody's just touched
[22:46.480 --> 22:58.160]  my lunchbox. I want to know if they've actually opened it. Because I've stuck this QR code on the
[22:58.160 --> 23:05.260]  inside of my lunchbox. I've printed this out, stuck it in there, you know, maybe put some
[23:05.260 --> 23:12.180]  text around it like, recipe for Adrian's, you know, Adrian's secret recipe, you know,
[23:12.180 --> 23:17.860]  handed down through the generations. Something to that respect. You know, something
[23:17.860 --> 23:25.500]  somebody would be really interested in scanning. So I put this QR code there. If I ever get an
[23:25.500 --> 23:30.280]  alert on this, I know somebody has not only touched my lunchbox, but they've opened it up,
[23:30.280 --> 23:34.660]  they spotted the QR code on the inside, they read the words around it, and they chose to scan it
[23:34.660 --> 23:39.920]  with their phone. You know, that's the only way I would get that trigger. So that's the power there.
[23:39.920 --> 23:45.360]  And we've seen people put these in all kinds of locations. I think one of my favorites
[23:45.920 --> 23:50.940]  is somebody told me that they print this out on a sheet of paper, they put the words
[23:50.940 --> 23:55.820]  Microsoft Authenticator Recovery around it, and they just leave that sheet of paper on their desk
[23:55.820 --> 24:05.760]  at work and just wait. And that's great. Four people are checking out my lunchbox.
[24:05.760 --> 24:10.020]  They want to see that secret recipe. I know this one is me. You know, we, first of all,
[24:10.020 --> 24:14.780]  we just saw that source IP. Everybody knows this is me by now. We'll actually do a
[24:14.780 --> 24:22.020]  GeoIP lookup here, get some details there. And, you know, we can even see what kind
[24:22.020 --> 24:27.840]  of phone I'm using here. You know, you get different details out of these user agents,
[24:27.840 --> 24:33.560]  depending on how they're scanned, what devices scan them. You know, so maybe
[24:33.560 --> 24:39.100]  there's some crazy situation where those kinds of details are useful. But, you know,
[24:39.100 --> 24:45.440]  the key point here again is I've only put this token one place. You know, it took me 30 seconds
[24:45.440 --> 24:51.320]  to do it, to scan it out, tape it to the inside of my lunchbox. But I can just leave
[24:51.320 --> 24:56.540]  it there forever. And if I ever get a trigger off of that, I know that somebody has been in that
[24:56.540 --> 25:01.060]  lunchbox. And maybe that lunchbox is, maybe it's not a lunchbox. Maybe it's a data center. Maybe
[25:01.060 --> 25:06.940]  it's a network closet. Maybe it's underneath the battery on a laptop, you know, all kinds of
[25:06.940 --> 25:11.420]  different places that you could hide these. It looks like we've got somebody from Oklahoma that
[25:11.420 --> 25:15.520]  scanned it. Again, you know, if you're coming through a VPN or something like that, that would
[25:15.520 --> 25:25.660]  be reflected here. But we've got an Android Pixel 3 XL. We've got
[25:25.660 --> 25:32.580]  Mission Viejo, somebody coming from California. And a lot of these user agents will
[25:32.580 --> 25:37.720]  refer to the application used to open it. Like I think that previous one we looked at,
[25:37.720 --> 25:45.560]  ZXing, that's a barcode scanner app. And then one more here, that would be Bradley.
[25:46.280 --> 25:52.900]  Bradley's up very early in the morning in South Africa and scanned it with his iPhone.
[25:56.170 --> 26:02.150]  So hope that helps to demonstrate the power of how you can use these tokens,
[26:02.150 --> 26:06.750]  and how the canaries are used. And most importantly, when you see alerts from these,
[26:06.750 --> 26:11.110]  understanding what the attacker had to do to trigger those alerts and what it tells you about
[26:11.110 --> 26:16.590]  the attacker, where they are, and maybe even their motivations and where they're going to go
[26:16.590 --> 26:24.170]  next. And help you pivot between some of the different applications here. So really that's,
[26:24.690 --> 26:29.170]  that's it in a nutshell. I think we still have 20 minutes. If there's any questions,
[26:29.170 --> 26:36.330]  we could absolutely take some of those. Bradley, I appreciate it. This was a great,
[26:36.330 --> 26:40.290]  great presentation. I did mark down a couple of questions that were asked during the
[26:40.290 --> 26:47.290]  presentation. Does the canary token get created
[26:47.930 --> 26:53.610]  based off of the session plus protocol plus application? Is that uniquely identified?
[26:55.930 --> 27:05.870]  I'm not sure I understand the question. Based off the... so it might help to talk about
[27:05.870 --> 27:10.430]  the primitives a bit more. That might answer the question if I talk about the web and DNS
[27:10.430 --> 27:17.830]  tokens that kind of sit behind this. Yeah, I think that would be the way to go,
[27:17.830 --> 27:22.910]  Adrian, is to look at how the token is being created. Because I think the question is related
[27:22.910 --> 27:31.910]  to whether it's being tripped by the protocol or the application. Okay. Yeah. So first one I'm
[27:31.910 --> 27:38.670]  going to create here is a web token. And I'm going to create a fake email in my inbox that makes it
[27:38.670 --> 27:44.370]  look like, if an attacker gets in my inbox, maybe they get all my passwords. They get access
[27:44.370 --> 27:52.530]  to my LastPass instance or something like that. So I can take this web token and I'm going to
[27:52.530 --> 27:59.070]  create a link in this fake email that I put in my inbox, and I'm gonna basically
[27:59.070 --> 28:04.590]  phish, you know, or social engineer the attacker into clicking it. And so what we're
[28:04.590 --> 28:10.010]  actually calling a token is this bit right here. This is the actual token that the web server is
[28:10.010 --> 28:15.890]  looking for. And this address here, and if you're using canarytokens.org, you know, it would be
[28:15.890 --> 28:20.330]  something based on that. You can run your own canary token server, use it on your own domain,
[28:20.970 --> 28:26.630]  you know, run your own docker canary token server. So this could be anything you want.
[28:26.650 --> 28:32.810]  This could also be anything you want. You know, we could name that admin files. We could name this
[28:36.370 --> 28:41.350]  password.db. And that's still going to trigger an alert when we go to that.
[28:42.470 --> 28:48.690]  So at its base component, and when we just demonstrated the QR code token, that's just
[28:48.690 --> 28:55.710]  using an embedded web token. So super simple way of doing it by reaching out, touching a web server
[28:56.430 --> 29:02.890]  with this token here, we know to map that back to Adrian's inbox. We know that that's the token
[29:02.890 --> 29:11.110]  associated with this memo, with this reminder that I set for myself. So I hope that answers
[29:11.110 --> 29:19.470]  the question of how that, how the token itself works. And that's the same token that we have
[29:19.470 --> 29:25.550]  embedded in a lot of these other ones. So the word file has a web token embedded in it.
[29:26.190 --> 29:30.670]  You know, I mentioned the QR code does, you know, and several of these others do.
[29:30.850 --> 29:39.430]  The other, what we call our token primitive is DNS. So again, there's ways to get,
[29:39.430 --> 29:47.930]  if somebody gets in my inbox, we can get a DNS name to resolve. So if I were to just copy this
[29:47.930 --> 29:53.950]  DNS name, and again, here, this bit is the token, you can tell kind of from the length of it.
[29:53.950 --> 30:00.210]  And really, it's a CNAME on the front of this domain, you know, that maps back to us.
[30:01.090 --> 30:04.750]  So if I do an nslookup on that,
[30:05.350 --> 30:13.590]  I get an alert. So wherever I've, that DNS address, if anyone resolves it, if it gets resolved for
[30:13.590 --> 30:19.630]  any reason, maybe I'm just sending it in clear text on the network. Somebody captures that
[30:19.630 --> 30:24.150]  traffic with Wireshark, and they view that traffic, and they tell Wireshark to resolve
[30:24.150 --> 30:28.230]  all the DNS addresses, that would trigger it, you know, something as simple as that.
[30:28.230 --> 30:36.050]  But if I can find files, you know, any kind of tricks, any kind of ways to get a DNS
[30:36.050 --> 30:41.950]  address resolved, that can trigger a token and send me an alert.
[30:43.170 --> 30:50.130]  Yeah, just to add on to what Adrian mentioned, is that we're embedding HTTP requests and a DNS
[30:50.130 --> 30:57.190]  request inside of a document, and we're relying on, when the document gets opened with MS Word,
[30:57.190 --> 31:05.590]  for instance, MS Word reaches out to those URLs or the DNS. So it's MS Word,
[31:05.590 --> 31:09.930]  the application itself, that's looking up those requests that I embedded into the
[31:09.930 --> 31:12.870]  document, and that's what's triggering the alert.
[31:14.250 --> 31:18.310]  Yeah, and that's important to note, you know, some of these require action from the attacker,
[31:18.310 --> 31:23.570]  like in my example of the fake email in my inbox, I've got to get, I've got to convince
[31:23.570 --> 31:29.170]  them to click that link. In other cases, like Bradley's example with the Word doc,
[31:29.170 --> 31:33.890]  simply opening it is all they need to do. You know, they don't see it,
[31:33.890 --> 31:39.090]  it happens in the background, they don't even know that those alerts have been triggered.
[31:40.530 --> 31:42.890]  And there's nothing else that they need to do.
[31:48.390 --> 31:54.510]  Well, I appreciate it. Thank you, Bradley. Thank you, Adrian. This has been a great presentation.
[31:54.510 --> 32:04.610]  So this concludes the presentation for the workshop for Canary. In any case, if you have
[32:04.610 --> 32:10.590]  any follow-up questions, the speakers will be around in the Discord for a few minutes. And
[32:10.590 --> 32:18.390]  again, the Discord that we are chatting in is the text-workshops-track-1,
[32:18.390 --> 32:22.970]  in the Flamingo Hotel group, just scroll all the way down to the bottom.
[32:23.510 --> 32:28.070]  And so if you guys could sort of come down, I think there's a couple of questions. If you
[32:28.070 --> 32:32.530]  have some follow-up, that would be great. Otherwise, I appreciate everybody listening
[32:32.530 --> 32:34.870]  in today and thank you very much for attending.
